FreeBSD fts Library Buffer Overflow Vulnerability

Solution:
This problem can be worked around by preventing coredumps from the periodic(3) program. However, this is NOT a suggested long-term fix: the fts overflow could quite likely be exploited via any number of SUID scripts. The best solution is to apply the patch referenced later in this Solution. Immediate workaround information is as follows:

# mv /usr/sbin/periodic /usr/sbin/periodic.bin
# cat > /usr/sbin/periodic
#!/bin/sh
ulimit -c 0
/usr/sbin/periodic.bin $*
^D
# chmod 555 /usr/sbin/periodic

Apply the following patches to libc and do a make world. Please also see the companion advisory FreeBSD-SA-99:04.core.asc in the advisories directory of our ftp site for details on the kernel portions of this fix.

Index: lib/libc/gen/fts.c
===================================================================
RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/gen/fts.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- fts.c 1999/08/15 19:21:29 1.10
+++ fts.c 1999/09/02 07:45:07 1.11
@@ -963,6 +963,24 @@
return (sp->fts_path == NULL);
}

+static void
+ADJUST(p, addr)
+ FTSENT *p;
+ void *addr;
+{
+ if ((p)->fts_accpath >= (p)->fts_path &&
+ (p)->fts_accpath < (p)->fts_path + (p)->fts_pathlen) {
+ if (p->fts_accpath != p->fts_path)
+ errx(1, "fts ADJUST: accpath %p path %p",
+ p->fts_accpath, p->fts_path);
+ if (p->fts_level != 0)
+ errx(1, "fts ADJUST: level %d not 0", p->fts_level);
+ (p)->fts_accpath =
+ (char *)addr + ((p)->fts_accpath - (p)->fts_path);
+ }
+ (p)->fts_path = addr;
+}
+
/*
* When the path is realloc'd, have to fix all of the pointers in structures
* already returned.
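Review bot: the new ADJUST terminates the calling process with errx(1, ...) from inside a libc routine whenever fts_accpath lies inside the path buffer but is not equal to fts_path, or the entry is not at level 0; failing closed is a reasonable choice for a fix that closes a memory-safety bug, but the function needs a comment above it stating the invariant it enforces (an accpath inside the shared path buffer can only be the root entry's own path), since nothing in the hunk says why those two conditions are the only legal case. Style: the parenthesised `(p)->` is left over from the macro this function replaces; plain `p->`, as already used in the two errx calls, reads better.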
@@ -974,18 +992,18 @@
{
FTSENT *p;

-#define ADJUST(p) { - (p)->fts_accpath = - (char *)addr + ((p)->fts_accpath - (p)->fts_path); +#define ADJUST1(p) { + if ((p)->fts_accpath == (p)->fts_path) + (p)->fts_accpath = (addr); (p)->fts_path = addr; }
/* Adjust the current set of children. */
for (p = sp->fts_child; p; p = p->fts_link)
- ADJUST(p);
+ ADJUST(p, addr);

/* Adjust the rest of the tree. */
for (p = sp->fts_cur; p->fts_level >= FTS_ROOTLEVEL;) {
- ADJUST(p);
ADJUST(p, addr);
p = p->fts_link ? p->fts_link : p->fts_parent;
}
}
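Review bot: the `#define ADJUST1(p)` introduced in this hunk is never referenced; both loops now call the new `ADJUST(p, addr)` function, so the macro is dead code and should be dropped rather than left next to a function of almost the same name. The removal of the old `#define ADJUST(p)` is the substantive fix: it rebased `fts_accpath` by its offset from `fts_path` unconditionally, so an entry whose accpath pointed outside the path buffer was given a pointer computed from an unrelated address, whereas the new function rebases only when accpath falls inside `[fts_path, fts_path + fts_pathlen)`. Also, the second loop's `ADJUST(p, addr);` line is missing its leading `+` as shown here, which would make the hunk inconsistent with its `+992,18` line count.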

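As an added illustration, not code from the advisory or from FreeBSD's libc: a constructed stand-in for the pointer fix-up policy the patch introduces, showing the unconditional rebase beside the bounds-checked one on an entry whose accpath does not point into the shared path buffer (the struct and function names are hypothetical).

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the FTSENT fields the fix touches (not libc's). */
struct ent {
    char *path;      /* shared path buffer that gets reallocated */
    size_t pathlen;  /* bytes allocated for path */
    char *accpath;   /* aliases path, or points at per-entry name storage */
    char  name[16];  /* per-entry storage accpath may point into instead */
};

/* Pre-fix policy: rebase accpath by its offset from path no matter where it
 * points. If accpath is outside the path buffer the offset is meaningless
 * and the result is a pointer into unrelated memory. */
static char *adjust_unchecked(const struct ent *p, char *newbuf)
{
    return newbuf + (p->accpath - p->path);
}

/* Post-fix policy: rebase only when accpath lies inside [path, path+pathlen);
 * any other accpath is left untouched. */
static char *adjust_checked(const struct ent *p, char *newbuf)
{
    if (p->accpath >= p->path && p->accpath < p->path + p->pathlen)
        return newbuf + (p->accpath - p->path);
    return p->accpath;
}

/* Simulate growing the shared buffer, apply one policy, and return 1 if
 * accpath ends up where it must: at the new buffer when it aliased path,
 * unchanged when it pointed at name. */
int fixup_keeps_accpath_valid(int checked, int alias_path)
{
    struct ent e;
    e.pathlen = 8;
    e.path = calloc(1, e.pathlen);
    strcpy(e.path, "/tmp");
    strcpy(e.name, "file");
    e.accpath = alias_path ? e.path : e.name;

    char *newbuf = malloc(4096);           /* stands in for realloc growth */
    memcpy(newbuf, e.path, e.pathlen);
    char *acc = checked ? adjust_checked(&e, newbuf)
                        : adjust_unchecked(&e, newbuf);
    char *expect = alias_path ? newbuf : e.name;
    int ok = (acc == expect);
    free(e.path); free(newbuf);
    return ok;
}
```

With the unchecked policy the name-pointing entry ends up with a pointer derived from two unrelated allocations, which is the condition the patch's bounds check rules out.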
Copyright 2009, SecurityFocus